Version 3.5.0 bug fixes

System

High Availability

Support reference 65701 - 65946

An issue regarding competing access to the high availability tracking file would cause the syncid field to be deleted from this file. The absence of this field would then make members of the cluster repeatedly synchronize their configurations. This issue has been fixed.

Support reference 66802

Within a cluster in which members are of varying quality or a priority has been defined, resetting the firewall with the highest priority or level of quality would immediately cause it to recover its role as the active firewall without fully synchronizing all information. This issue has been fixed with the addition of a timeout that allows synchronizing before switching roles. Set by default to 15 seconds, this timeout can only be modified in command line with the commands CONFIG HA CREATE and CONFIG HA UPDATE. Details of these commands can be found in the CLI SERVERD Commands Reference Guide.

Support reference 67553

Following a HA swap, network equipment from other vendors may ignore gratuitous ARP requests sent by the new active member of the SNS cluster due to an anomaly in the format of such requests (RFC 5944). This anomaly has been fixed.

Support reference 67776

The high availability quality indicator would be skewed whenever an SD card was inserted into a member of the cluster. This issue has been fixed.

Support reference 67832

An anomaly in the operation of the high availability tracking mechanism, which would cause excessive memory consumption, has been fixed.

Quality of Service

Support reference 67879

During the setup of bandwidth reservation or restriction (CBQ), the actual bandwidth would be much lower than the configured bandwidth restriction. This issue has been fixed.

Configuration – Network parameters

Support reference 58987

Firewalls for which no DNS servers have been declared to perform their own name resolution would restart in loop whenever a firmware update was applied. This issue has been fixed.

Authentication

Support references 64844 - 65776

An anomaly in the way brute force attack attempts were counted would prevent the authentication of legitimate users. This anomaly has been fixed.

Configuration restoration

Support reference 58925

An anomaly in the verification of configuration restoration files' validity has been fixed.

Filter - NAT

Support reference 67922

In rules that group a large number of objects, attempts to add extra objects (source, destination, port, etc.) would cause the web administration interface to disconnect.

Filter - NAT – Global policy

Support reference 66325

Whenever the port in an explicit HTTP proxy was changed, it would not necessarily be applied when global filter rules were generated. This anomaly has been fixed.

Proxies

Support reference 66653

Whenever the proxy sent packets to an ICAP server through a filter rule in firewall mode, it would cause latency issues during web browsing. This issue has been fixed.

Support reference 67713 - 67924

During the initialization of the SMTP proxy's logging mechanism, checks for the existence of an active filter policy would cause the SMTP proxy to freeze.

SSL VPN – UDP

Support reference 67293

The VPN SSL over UDP service would occasionally fail to function with configurations that have several Internet access gateways or several IP addresses on the same interface. To resolve these issues, a field has been added to the VPN > SSL VPN module, allowing the definition of a listening IP address on the service over UDP.

Support reference 66315

The Export the configuration file button would allow exporting archives that contain the server's configuration. Since such archives cannot be used, they have been replaced with an archive containing the client's typical configuration (SSL VPN CA and server certificate, network configuration for the client and the mobile client), similar to the one available on the authentication portal.

Sandboxing

Support reference 57407

After a firewall has been restarted, files would not always be sent for sandboxing analysis (Breach Fighter). This issue has been fixed.

Network

DHCP relay

Support reference 66767

In configurations that use the DHCP relay, enabling WiFI interfaces would prevent the relay of DHCP requests sent from these WiFi interfaces. This issue has been fixed.

Interfaces

Support reference 58822

In a configuration such as the following:

  • Several unprotected interfaces are included in a bridge, and
  • A static route leaves one of these unprotected interfaces (other than the first).

The first network packets that need to use the static route would be wrongly sent to the bridge's first unprotected interface.

Even though this issue has been fixed, do note that the case described in this configuration is not supported (cf. Explanations on usage > Network > Interfaces).

Intrusion prevention

HTTP

Support reference 65592

Previously, the HTTP headers "Content-Security-Policy" and "Authorization: NTLM" likely to raise the block alarm "Possible buffer overflow in HTTP request/reply" could only be configured in command line. They have since been added to the control panel of the Maximum size of HTTP headers (Application protection > Protocols > HTTP > Advanced properties).

Support references 65250 - 65820

Using the implicit HTTP proxy while the option Apply the NAT rule on scanned traffic (Application protection > Protocols > HTTP > Go to global configuration > Proxy menu) was enabled would generate a very large number of error messages to the console port (messages such as "XXX already released without rule YYYY"). Attempts to display such a large number of messages would cause excessive CPU consumption and would cause the firewall to freeze.

ICMP

Support reference 65930

The "Invalid ICMP message" alarm would be wrongly raised whenever legitimate ICMP packets were sent over a firewall with declared IPSec tunnels. This anomaly has been fixed.

S7 protocol

Support reference 67764

Since encrypted S7 traffic cannot be analyzed, packets would be wrongly blocked when an alarm is raised ("S7: response without corresponding request" or "S7: invalid protocol"). This anomaly has been fixed.

Fragmented packets

Support references 66850 - 66719

An anomaly in the management of fragmented packets would wrongly cause the first fragment to be blocked. This anomaly has been fixed.

IDS / Firewall mode

Support reference 65120

In a configuration such as the following:

  • The firewall used filter rules in IDS or firewall mode, and
  • The transparent HTTP proxy was enabled.

An anomaly in the management of address translation could cause a combination of connections presenting the same source IP address and the same source port. This anomaly has been fixed.

Virtual machines

Microsoft Hyper-V

Support references 66627 - 67132

On a Microsoft Hyper-V platform, virtual machines with several network interfaces could encounter issues enabling their last interfaces after restarting. This issue has been fixed.

Notifications

E-mail alerts

Support references 66708 - 66782

Notification e-mails sent through the STARTTLS protocol would be truncated. This anomaly has been fixed.

SNMP agent

Support reference 67726

The OID hrStorageType included in the MIB "HOST-RESOURCES-MIB" would no longer return results to SNMP requests. This anomaly has been fixed.

Hardware

Firewall clock

Support reference 58901

Whenever the battery that manages the firewall's clock malfunctioned, it would adopt a random date every time it started up. If this date was earlier than the validity of the appliance's license, the firewall would repeatedly restart. This anomaly has been fixed.

Web administration interface

Wi-Fi network

Support references 65333 - 68006

The web administration interface would wrongly reject the use of special characters (periods, dashes, etc.) in WiFi network names (SSID). This anomaly has been fixed.

Please be reminded that only the " character is prohibited in this field.

IPSec VPN

Support reference 67688

Whenever a peer ID was defined for an IPSec peer, this ID could no longer be deleted via the web administration interface. This issue has been fixed.

QoS monitoring

Support reference 66587

Data displayed in QoS monitoring curves (real time/history) did not match selected queues. This anomaly has been fixed.

Audit logs

Support reference 66838

Whenever a rule name was specified for a filter rule, this name would not appear in the Rule name column in connection logs. This anomaly has been fixed.

Support reference 67018

In Advanced search mode, dragging and dropping an IP address from the Source name or Destination name columns into filter criteria would result in an empty page of data. This anomaly has been fixed.

Certificates

Support references 59271 - 66735 - 64509

After the import of a certificate in PKCS12 format (including the full chain of certification), the certificate would not appear in the list of selectable certificates for an IPSec VPN peer. This anomaly has been fixed.

Logs - Syslog - IPFix

Support reference 67475

The progress bar during the formatting of a removable device (SD card) would not disappear after the completion of the operation. This anomaly has been fixed.

Authentication

Support reference 67256

The sslvpn interface could no longer be selected in the table matching authentication profiles to interfaces. This anomaly has been fixed.

Support reference 67587 - 67985

Whenever the Always display advanced properties checkbox in the firewall's Preferences was not selected, the buttons for selecting the proxy configuration file, logo or style sheet (Authentication > Captive portal > Advanced properties tab) would no longer appear in Mozilla Firefox. This anomaly has been fixed.

Support reference 68097

Title

The term Debug would systematically appear in the tab of the browser displaying the web administration interface. This anomaly has been fixed.

Network objects

Support reference 68250

When checking the use of a network object, the information displayed would indicate the line number in the filter policy (therefore including separators) instead of the number of the filter rule using the object. This anomaly has been fixed.

Stormshield Network Real-Time Monitor

"Hosts" view

Support reference 67297

Ever since version 3.3 of SNRTM, statistics on internal hosts that pass through a Stormshield v2 firewall would no longer be displayed. This anomaly has been fixed.
Do note that statistics concerning hosts located behind unprotected interfaces are displayed for firewalls with firmware in versions between 3.0 and 3.2.1.